Abstract. Technical systems are in general not guaranteed to work correctly. They are more or less reliable. One main problem for technical systems is the computation of the reliability of a system. A second main problem is the problem of diagnostics. In fact, these problems are in some sense dual to each other.

In this paper, we will use the concept of probabilistic argumentation systems (PAS) for modeling the system description as well as observations and specifications of behaviour in one common framework. We show that PAS are a framework in which both main problems can be formulated easily and in which all concepts needed for these two problems can be clearly defined. Using PAS, reliability and diagnostics can be considered as dual problems. PAS allow one common strategy for computing the answers to the questions arising in the different situations.

1 Introduction and Overview

One main problem for technical systems is the computation of the reliability of a system. This is studied in reliability theory (see for example [7, 8]). The reliability depends on various factors like the quality and the age of components, the complexity of the system, etc. The reliability of a system conveys some information about the behavior of the system in the future, based on information about the components, for example probabilistic information about their reliability over time.

A second main problem for technical systems is the problem of diagnostics. Here, the problem is to explain the behavior of the system, usually based on measurements and observations of some parts of the system, together with the system description in some framework. The actual observations and the description of the system are the only ingredients for the computation of the diagnoses. Additionally, if probabilistic knowledge is available about the different operating modes of the components, then the likelihood of the system states can be defined and prior as well as posterior probabilities can be computed for the set of possible system states.
Figure 1. Reliability versus Diagnostics.

The two main problems both depend on a formalization of the system in some framework together with either observations, measurements, or requirements (Fig. 1). Here, we will use the concept of probabilistic argumentation systems (PAS) for modeling the system description as well as observations and specifications of behaviour in one common framework. The goal of a PAS is to derive arguments in favor of and against the hypothesis of interest. An argument is a defeasible proof built on uncertain assumptions, i.e. a chain of deductions based on assumptions that makes the hypothesis true. If probabilistic information is available, a quantitative judgement of the situation is obtained by considering the probabilities that the arguments are valid. The resulting degrees of support and possibility correspond to belief and plausibility, respectively, in the Dempster-Shafer theory of evidence [24, 20]. In fact, PAS combine the strengths of logic and probability in one framework. In this paper we show that probabilistic argumentation systems are a framework in which both main problems, i.e. reliability and diagnostics, can be formulated easily and in which all concepts needed for them can be clearly defined. The framework will in particular allow one common strategy for computing the answers to the questions arising in the different situations. Some work in this direction, but without using PAS, has been done by Provan [22].

The main information for both problems is the description of the system in some formalism; we will focus here on a formalization using logic. In the case of reliability, we may have a specification which describes the goals which have to be fulfilled by the system. This information will be used to compute the structure function from the system description. Different specifications may lead to different structure functions. Even in the absence of an explicit specification of a reliability requirement, we may deduce a structure function by assuming that the system should be functioning at least if all components are working.

On the other hand, in the case of diagnostics, some observations of the system may indicate that the system is not working as it is supposed to. This information, together with the system description, then allows to compute the diagnoses of the system, i.e. minimal sets of components whose malfunctioning "explains" the wrong behaviour of the whole system.

2 Reliability

2.1 Combinatorial Reliability

In binary combinatorial reliability, a system is assumed to be composed of a number of different components. Each component is either intact or down, and so is the whole system itself, depending on the states of its components. In order to formulate this, binary variables $x_i$ are associated with the components $i = 1, 2, \ldots, n$ of the system, where $x_i = \top$ if component number $i$ works and $x_i = \bot$ otherwise. Let $\mathbf{x}$ be the vector $(x_1, x_2, \ldots, x_n)$ of the component states. This state vector has $2^n$ possible values. These values can be decomposed into two disjoint subsets, the set $S_\top$ of working states, for which the system as a whole is assumed to be functioning, and the set $S_\bot$ of down states, for which the system is supposed not to work properly. The corresponding system state is denoted by $\chi$. Its dependence on the state vector $\mathbf{x}$ is described by a Boolean function $\phi$, defined as

$$\chi = \phi(\mathbf{x}) = \begin{cases} \top & \text{if } \mathbf{x} \in S_\top, \\ \bot & \text{if } \mathbf{x} \in S_\bot. \end{cases} \qquad (1)$$

The Boolean function $\phi$ is called the structure function of the system. In combinatorial reliability it is assumed to be given and it forms the base for reliability analysis.

The structure function $\phi$ is usually assumed to be monotone. That is, if $\mathbf{x}_1 \le \mathbf{x}_2$, then $\phi(\mathbf{x}_1) \le \phi(\mathbf{x}_2)$. For a monotone structure function, a subset $P \subseteq \{1, 2, \ldots, n\}$ of components is called a path if $\phi(\mathbf{x}) = \top$ for all state vectors $\mathbf{x}$ for which the components of the set $P$ are working, i.e. $x_i = \top$ for all $i \in P$. That is, the elements of a path are sufficient to guarantee the functioning of the system, regardless of the state of the components outside the path. We assume that the set $\{1, 2, \ldots, n\}$ of all components is a path (otherwise the system would never be functioning). A path $P$ is called minimal if no proper subset of $P$ is still a path. Since the paths are upward closed, it is sufficient to know all minimal paths. Let $\mathcal{P}$ denote the set of minimal paths. This set determines the structure function:

$$\phi(\mathbf{x}) = \bigvee_{P \in \mathcal{P}} \bigwedge_{i \in P} x_i. \qquad (2)$$

This logical formula expresses the fact that the system is working if all components of at least one minimal path are working. Dually, the notion of a cut is defined, and $\mathcal{C}$ denotes the set of all minimal cuts.

If for every component $i = 1, 2, \ldots, n$ its respective probability $p_i$ of functioning correctly is defined, then the probability that the system is functioning can be computed (assuming the components to be stochastically independent). In fact, $\phi(\mathbf{x})$ is a random variable, and the probability $p$ that the system is functioning is

$$p = E(\phi(\mathbf{x})) = h(\mathbf{p}). \qquad (3)$$

Here, $\mathbf{p}$ denotes the vector $(p_1, p_2, \ldots, p_n)$ of probabilities. $h(\mathbf{p})$ is called the reliability function, and its computation is a nontrivial task [1, 16, 5].

Figure 2. A simple device.


2.2 Model-Based Reliability

The structure function describes the conditions under which a system is functioning, depending on the states of its components. It is already a compilation of knowledge about the system and its structure. In this section we shall illustrate another approach, where a more physical description of a system is given. Additionally, a specification of the desired behavior of the system is given. These two elements will then allow the deduction of a structure function and its associated reliability function. The discussion in this section will be informal.

Example 1: Detector of Power Failure
(Example adapted from [22])

Consider a simple device which watches a Boolean value $in$ and reports an output $out$ equal to $\top$ if the value vanishes (becomes $\bot$). A simple version of such a device is depicted in Figure 2. The functionality of this device can be described with propositional logic. Let $in$ and $out$ be the variables which denote the state of the input and the output respectively. Both variables are binary, i.e. they represent the boolean values true or false. Further, there are two internal variables $x_1$ and $x_2$, also binary. For every component A, B or C, there is a respective binary variable $ok_A$, $ok_B$ and $ok_C$ which describes the working mode of the component.

Consider the inverter A: if it works correctly ($ok_A$ is true), then its output is the negation of its input, i.e. $x_1$ is true if and only if $in$ is false. We express this by the formula $in \leftrightarrow \neg x_1$. So the entire information is modeled as the logical implication $ok_A \to (in \leftrightarrow \neg x_1)$. Note that so far nothing is said about the behavior of the component if it is down ($ok_A$ is false). There are several possibilities. One is that in this case the output of the component is always false, i.e. $\neg ok_A \to \neg x_1$.

For the component B, the same specification can be applied. For the or-gate C, if it works correctly, then the output is true if at least one of its inputs is. So the whole information about the device is modeled by a set of six implications:

$$\Sigma = \left\{ \begin{array}{ll} ok_A \to (in \leftrightarrow \neg x_1), & \neg ok_A \to \neg x_1, \\ ok_B \to (in \leftrightarrow \neg x_2), & \neg ok_B \to \neg x_2, \\ ok_C \to (out \leftrightarrow x_1 \vee x_2), & \neg ok_C \to \neg out \end{array} \right\} \qquad (4)$$

This is the system description. We now add a specification of what we expect from the system to this physical description of the system. We expect that negative (false) input is detected, i.e. that the output is true. This could be expressed by $\neg in \to out$. However, this is a weak requirement. It does not exclude that $out$ becomes true even if $in$ is true. More stringent would be the specification $\neg in \leftrightarrow out$. This asks that there is an alarm ($out$) if, and only if, $in$ is false.

We may now ask under which states, described by the variables $ok_A$, $ok_B$ and $ok_C$, each one of these specifications is fulfilled. This defines the structure function of the system associated with the corresponding specification of desired system behavior. We shall see in the next section that it is a well-defined problem of propositional logic to deduce these structure functions from the system description and the specifications of desired behavior. ◇

This example shows how the physical behavior of systems and the required behavior can be described in the language of propositional logic. We shall examine this structure in the following section in a general context.

3 Probabilistic Argumentation Systems

Probabilistic argumentation systems have been developed as general formalisms for expressing uncertain and partial knowledge and information in artificial intelligence. They combine logic and probability in an original way. Logic is used to derive arguments, and probability serves to compute the reliability or likelihood of these arguments. These systems can be used for model-based diagnostics, as has been demonstrated in [2, 19]. Here we shall show how they relate to reliability theory.

In this section we give a short introduction to propositional probabilistic argumentation systems. For a more detailed presentation of the subject we refer to [15]. We remark also that such systems have been implemented in a system called ABEL which is available on the internet (cf. [14] for further information).

3.1 Propositional Logic

Propositional logic deals with declarative statements, called propositions, that can be either true or false. Let $P = \{p_1, \ldots, p_n\}$ be a finite set of propositions. The symbols $p_i \in P$ together with $\top$ (tautology) and $\bot$ (falsity) are called atoms. Compound formulas are built by the following syntactic rules:

• atoms are formulas;

• if $\gamma$ is a formula, then $\neg\gamma$ is a formula;

• if $\gamma$ and $\delta$ are formulas, then $(\gamma \wedge \delta)$, $(\gamma \vee \delta)$, $(\gamma \to \delta)$, and $(\gamma \leftrightarrow \delta)$ are formulas.

By assigning priority in decreasing order to $\neg$, $\wedge$, $\vee$, $\to$, $\leftrightarrow$, some parentheses can be eliminated. The set $\mathcal{L}_P$ of all formulas generated by the above recursive rules is called the propositional language over $P$.


A literal is either an atom $p_i$ or the negation of an atom, $\neg p_i$. A term is either $\top$ or a conjunction of literals in which every atom occurs at most once (but none of $\top$ and $\bot$), and a clause is either $\bot$ or a disjunction of literals in which every atom occurs at most once (but none of $\bot$ and $\top$). $\mathcal{C}_P \subseteq \mathcal{L}_P$ denotes the set of all terms, and $\mathcal{D}_P$ the set of all clauses.

$N_P = \{0, 1\}^n$ denotes the set of all $2^n$ different interpretations for $P$. If $\gamma \in \mathcal{L}_P$ evaluates to 1 under $\mathbf{x} \in N_P$, then $\mathbf{x}$ is called a model of $\gamma$. The set of all models of $\gamma$ is denoted by $N_P(\gamma) \subseteq N_P$.

A propositional sentence $\gamma$ entails another sentence $\delta$ (denoted by $\gamma \models \delta$) if and only if $N_P(\gamma) \subseteq N_P(\delta)$. Sometimes it is convenient to write $\mathbf{x} \models \gamma$ instead of $\mathbf{x} \in N_P(\gamma)$. Also, we write $\gamma \models \bot$ if $\gamma$ is not satisfiable. Furthermore, two sentences $\gamma$ and $\delta$ are logically equivalent (denoted by $\gamma \equiv \delta$) if and only if $N_P(\gamma) = N_P(\delta)$.

3.2 Basic Concepts of Argumentation Systems

Consider two finite sets $P = \{p_1, \ldots, p_m\}$ and $A = \{a_1, \ldots, a_n\}$ of propositional variables with $A \cap P = \emptyset$; the elements of $P$ are called propositions, the elements of $A$ assumptions. We consider a fixed set of formulas $\Sigma \subseteq \mathcal{L}_{A \cup P}$ called the knowledge base, which models the information available; sets of formulas are interpreted conjunctively, i.e. $\Sigma \equiv \bigwedge\{\xi : \xi \in \Sigma\}$. We assume that this knowledge base is satisfiable. A triple $(\Sigma, A, P)$ is called a propositional argumentation system (PAS).

The elements of $N_A$ are called scenarios (or system states). A scenario represents a specification of all values of the assumptions in $A$. Define now:

Inconsistent Scenarios: $CS_A(\Sigma) := \{s \in N_A : s, \Sigma \models \bot\}$,

Quasi-Supporting Scenarios of $h \in \mathcal{L}_{A \c­up P}$: $QS_A(h, \Sigma) := \{s \in N_A : s, \Sigma \models h\}$,

Supporting Scenarios of $h \in \mathcal{L}_{A \cup P}$: $SP_A(h, \Sigma) := QS_A(h, \Sigma) - CS_A(\Sigma)$,

Possible Scenarios for $h \in \mathcal{L}_{A \cup P}$: $PL_A(h, \Sigma) := SP_A^c(\neg h, \Sigma)$.

Inconsistent scenarios are in contradiction with the knowledge base and are therefore to be considered as excluded by the knowledge. Supporting scenarios for a formula $h$ are scenarios which, together with the knowledge base, imply $h$ and are consistent with the knowledge. So, under supporting scenarios, the hypothesis $h$ is true. Possible scenarios for $h$ are scenarios which do not imply $\neg h$ and thereby do not refute $h$. Quasi-supporting scenarios for $h$ are the union of supporting scenarios and inconsistent scenarios.

Scenarios are the basic concepts of assumption-based reasoning. However, the sets of inconsistent, quasi-supporting, supporting and possible scenarios may become very large. Therefore, more economical, logical representations of these sets are needed. For this purpose, the following concepts are defined:

Set of Supporting Arguments for $h$: $SP(h, \Sigma) := \{\alpha \in \mathcal{C}_A : N_A(\alpha) \subseteq SP_A(h, \Sigma)\}$.

The sets of quasi-supporting and of possible arguments are defined analogously. Remark that supporting arguments are similar to paths for structure functions in reliability theory. This similarity will be exploited later. These sets are all upward closed. Hence the sets of arguments are already determined by their minimal elements. We denote by $\mu QS(h, \Sigma)$, $\mu SP(h, \Sigma)$ and $\mu PL(h, \Sigma)$ the sets of minimal quasi-supporting, supporting and possible arguments. Further,

Conflict: $conf(\Sigma) := \bigvee_{\alpha \in \mu QS(\bot, \Sigma)} \alpha$,

Support of $h$: $sp(h, \Sigma) := \bigvee_{\alpha \in \mu SP(h, \Sigma)} \alpha$.

Quasi-support $qs(h, \Sigma)$ and possibility $pl(h, \Sigma)$ are defined analogously. Clearly, any formula which is logically equivalent to the logical representations above can be used as a representation.

Example 2: (Cont. of Example 1)

The information of Example 1 is modeled in an argumentation system as follows: $A = \{ok_A, ok_B, ok_C\}$, $P = \{in, x_1, x_2, out\}$ and $\Sigma$ as in (4). There are no inconsistent scenarios, and for $h = \neg in \to out$ we have $QS_A(h, \Sigma) = \{(0, 1, 1), (1, 0, 1), (1, 1, 1)\}$ and $PL_A(h, \Sigma) = N_A$. As $CS_A(\Sigma) = \emptyset$, we have $QS_A = SP_A$ in this situation, and there are some arguments in favor of the hypothesis, but none against it. Hence, $qs(h, \Sigma) = (ok_A \wedge ok_C) \vee (ok_B \wedge ok_C)$ and $pl(h, \Sigma) = \top$. ◇

3.3 Probabilistic Information

On top of the structure of a propositional argumentation system, we may easily add a probability structure. Assume that a probability $p(a_i) = p_i$ is given for every assumption $a_i \in A$. Assuming stochastic independence between assumptions, a scenario $s = (s_1, \ldots, s_n)$ gets the probability

$$p(s) = \prod_{i=1}^{n} p_i^{s_i} (1 - p_i)^{1 - s_i}. \qquad (5)$$

This induces a probability measure $p$ on $\mathcal{L}_A$,

$$p(f) = \sum_{s \in N_A(f)} p(s)$$

for $f \in \mathcal{L}_A$. A quadruple $(\Sigma, A, P, \Pi)$ with $\Pi = (p_1, \ldots, p_n)$ is then called a probabilistic (propositional) argumentation system (PAS).

The problem of computing the probability $p(f)$ is similar to the problem of computing the reliability of a structure function, except that monotonicity cannot be assumed in general; for algorithms for efficiently computing the probability $p(f)$ see [20, 9, 13].

Once we have such a probability structure on top of a propositional argumentation system, we can exploit it to compute likelihoods (or in fact, reliabilities) of supporting and possible arguments for a hypothesis $h$. First, we note that $\Sigma$ imposes that we eliminate the inconsistent scenarios and condition the probability on the consistent ones. In other words, $\Sigma$ is an event that restricts the possible scenarios to the set $N_A - CS_A(\Sigma)$, hence their probability has to be conditioned on the event $\Sigma$. This conditional probability $p'$ is defined by

for consistent scenarios $s$. $p(qs(h, \Sigma)) = dqs(h)$ is the so-called degree of quasi-support for $h$. Now, the degree of support $dsp$ for a hypothesis $h$ is defined by

$$dsp(h) = p'(sp(h, \Sigma)) = \frac{dqs(h, \Sigma) - dqs(\bot, \Sigma)}{1 - dqs(\bot, \Sigma)}.$$

This result explains the importance of quasi-support. It is sufficient to compute degrees of quasi-support. Further, we obtain the degree of plausibility of $h$,

$$dpl(h) = p'(pl(h, \Sigma)) = 1 - dsp(\neg h).$$

The degree of quasi-support $dqs(h)$ and the degree of support $dsp(h)$ correspond in fact to unnormalized and normalized belief in the Dempster-Shafer theory of evidence [24, 20, 15].


3.4 Computational Theory

Computing quasi-supports is the basic operation in PAS. It can be based on resolution and variable elimination (forgetting) [15, 12, 13]. In the sequel, we will sketch some of the main concepts for computation.

First, note that the computation of $qs(h)$ can be reduced to the computation of the conflicts with respect to an updated knowledge base: $qs(h, \Sigma) = qs(\bot, \Sigma \cup \{\neg h\})$. So for any hypothesis $h$, the quasi-supporting arguments $qs(h, \Sigma)$ can be determined by computing the conflicts with respect to the knowledge base $\Sigma \cup \{\neg h\}$. Hence in the sequel we focus on the computation of the conflicts with respect to a general knowledge base.

The ideas presented in the sequel are based on representations of knowledge in conjunctive normal form (CNF), i.e. a conjunction of clauses. The main step is based on the principle of resolution. Let $x \in A \cup P$. A disjoint decomposition of $\Sigma$ is then defined as follows:

$$\Sigma_x^+ = \{\xi \in \Sigma : x \in Lit(\xi)\},$$
$$\Sigma_x^- = \{\xi \in \Sigma : \neg x \in Lit(\xi)\},$$
$$\Sigma_x^0 = \{\xi \in \Sigma : x \notin Lit(\xi) \text{ and } \neg x \notin Lit(\xi)\}.$$

$Lit(\xi)$ denotes the set of all literals occurring in $\xi$. A literal is either a (positive) atom or a negated atom.

Consider two clauses $\xi^+ = x \vee \delta^+$ and $\xi^- = \neg x \vee \delta^-$ in $\Sigma_x^+$ and $\Sigma_x^-$ respectively. The clause $\rho(\xi^+, \xi^-) = \delta^+ \vee \delta^-$ is called the resolvent; note that we implicitly simplify the resolvent so that it is again a clause, i.e. double occurrences of atoms etc. are removed.

Eliminating a variable $x \in P \cup A$ from $\Sigma$ now means to compute

$$Elim_x(\Sigma) = \mu\left(\Sigma_x^0 \cup \{\rho(\xi^+, \xi^-) : \xi^+ \in \Sigma_x^+,\ \xi^- \in \Sigma_x^-\}\right),$$

where $\mu$ keeps only the minimal clauses, as for the sets of minimal arguments above. Consider a set $Q \subseteq P \cup A$. We define now, for $Q = \{q_1, \ldots, q_m\}$,

$$Elim_Q(\Sigma) = Elim_{q_m}(\ldots(Elim_{q_2}(Elim_{q_1}(\Sigma)))\ldots).$$

The result does not depend on the order of the elimination of atoms; yet note that the computations depend critically on a "good" ordering, see [15] for a discussion as well as for relations to the theory of local computation (in the sense of Shenoy & Shafer [25]).
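As an added illustration (not code from the paper or from ABEL), the elimination operator just defined, implemented in Python over clause sets and applied to the knowledge base $\Sigma$ of Example 1 in CNF together with a negated specification; eliminating all of $P$ leaves clauses over $A$ alone, whose negations are the quasi-supporting arguments, which is what Theorem 1 below states. The CNF encoding of (4), the clause sets for $\neg\delta_1$ and $\neg\delta_2$, the elimination order and all function names are this example's own constructions.

```python
from itertools import product

# A literal is an (atom, sign) pair, a clause a frozenset of literals. Constructed
# representation for this example; the paper's ABEL system is not used here.
def lit(atom, positive=True):
    return (atom, positive)

def neg(literal):
    return (literal[0], not literal[1])

def clause(*literals):
    return frozenset(literals)

A = ("okA", "okB", "okC")
P = ("in", "x1", "x2", "out")
okA, okB, okC, IN, X1, X2, OUT = (lit(a) for a in A + P)

# CNF of the six implications (4); e.g. okA -> (in <-> not x1) yields two clauses.
SIGMA = {
    clause(neg(okA), neg(IN), neg(X1)), clause(neg(okA), IN, X1),   # okA -> (in <-> not x1)
    clause(okA, neg(X1)),                                           # not okA -> not x1
    clause(neg(okB), neg(IN), neg(X2)), clause(neg(okB), IN, X2),   # okB -> (in <-> not x2)
    clause(okB, neg(X2)),                                           # not okB -> not x2
    clause(neg(okC), neg(OUT), X1, X2),                             # okC -> (out <-> x1 or x2)
    clause(neg(okC), OUT, neg(X1)), clause(neg(okC), OUT, neg(X2)),
    clause(okC, neg(OUT)),                                          # not okC -> not out
}
# Sigma' of Example 3: no statement about faulty components.
SIGMA_PRIME = SIGMA - {clause(okA, neg(X1)), clause(okB, neg(X2)), clause(okC, neg(OUT))}

# Negated specifications as clause sets: not(not in -> out) = not in and not out;
# not(not in <-> out) = (not in or out) and (in or not out).
NOT_DELTA1 = {clause(neg(IN)), clause(neg(OUT))}
NOT_DELTA2 = {clause(neg(IN), OUT), clause(IN, neg(OUT))}


def mu(clauses):
    """Drop tautologies, then clauses subsumed by a smaller clause of the set."""
    cs = {c for c in clauses if not any(neg(l) in c for l in c)}
    return {c for c in cs if not any(d < c for d in cs)}


def elim(clauses, x):
    """Elim_x: resolve every clause of Sigma_x^+ with every clause of Sigma_x^-,
    keep Sigma_x^0 (clauses not mentioning x) and simplify with mu."""
    pos = {c for c in clauses if (x, True) in c}
    negs = {c for c in clauses if (x, False) in c}
    rest = clauses - pos - negs
    resolvents = {(cp - {(x, True)}) | (cn - {(x, False)}) for cp in pos for cn in negs}
    return mu(rest | resolvents)


def elim_all(clauses, atoms):
    """Elim_Q for Q given as an ordered sequence of atoms."""
    for x in atoms:
        clauses = elim(clauses, x)
    return clauses


def quasi_support(sigma, not_h, props=P):
    """Theorem 1: Elim_P(Sigma u {not h}) is a clause set over A alone; the
    negation of its conjunction is qs(h, Sigma), each negated clause a term."""
    return elim_all(mu(sigma | not_h), props)


def conflict_scenarios(clauses_over_a, assumptions=A):
    """N_A^c of a clause set over A: the scenarios (1 = working) that falsify
    some clause, i.e. QS_A(h, Sigma) when given the result of quasi_support."""
    qs = set()
    for s in product((0, 1), repeat=len(assumptions)):
        val = dict(zip(assumptions, s))
        if any(all(val[a] != sign for a, sign in c) for c in clauses_over_a):
            qs.add(s)
    return qs


if __name__ == "__main__":
    for name, kb in (("Sigma", SIGMA), ("Sigma'", SIGMA_PRIME)):
        for spec, nd in (("delta1", NOT_DELTA1), ("delta2", NOT_DELTA2)):
            qs = quasi_support(kb, nd)
            print(name, spec, sorted(sorted(c) for c in qs), sorted(conflict_scenarios(qs)))
```

For $\Sigma$ and $\delta_1$ the remaining clauses are $\neg ok_A \vee \neg ok_C$ and $\neg ok_B \vee \neg ok_C$, i.e. $qs(h, \Sigma)$ of Example 2; the clause set produced for other cases is only logically equivalent to the minimal one, so compare scenario sets rather than clause sets when the order of elimination is changed.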

This  allows  then  to  compute  the  quasi-supporting  argu- 
ments of  a knowledge  base  E as  follows: 


Theorem 1 ([15])

$$QS_A(h, \Sigma) = N_A^c\big(Elim_P(\Sigma \cup \{\neg h\})\big).$$

In other words, this theorem asserts that

$$qs(h, \Sigma) \equiv \neg \bigwedge Elim_P(\Sigma \cup \{\neg h\}).$$

The concept of elimination allows to compute quasi-supporting and therefore also supporting as well as possible arguments for hypotheses. This notion connects the concepts presented here to the more general theory of valuation algebras, a general theory for representing, combining and focusing pieces of information [18, 21].

4 Reliability Analysis Using Probabilistic Argumentation Systems

4.1 Reliability based on Requirement Specification

We discuss now how probabilistic argumentation systems can be used to formulate and solve reliability problems. The basic idea is simple: the system behavior is described in terms of the states of its components. In addition, the desired or required behavior of the system is specified. The system description forms a probabilistic argumentation system. The question is then: how likely (probable) is it that the specified requirement is satisfied? In order to answer this question, the specification of the required behavior is taken as a hypothesis. The support of this specification then essentially determines the structure function of this reliability problem, and the degree of support of the specified requirement is the reliability of the system with respect to the required behavior. Note that, depending on the different goals a system should attain, or the services it should provide, different requirements may be formulated. So the corresponding reliability analysis has to be differentiated, but it can be carried out within the same framework of probabilistic argumentation systems.

Example 3: (Cont. of Example 1)

We have already formulated $\Sigma$ and two different specifications $\delta_1 = \neg in \to out$ and $\delta_2 = \neg in \leftrightarrow out$. We can compute the supports of these two specifications. It turns out that both are the same,

$$sp(\delta_1, \Sigma) = sp(\delta_2, \Sigma) = (ok_A \wedge ok_C) \vee (ok_B \wedge ok_C).$$

Note that this is just the path representation of the expected structure function. In fact, this structure function could be reformulated as $(ok_A \vee ok_B) \wedge ok_C$, which shows that it is a series system composed of component C and a parallel module of the components A and B. The remarkable fact is that this structure function has been automatically deduced from the system description and the specification of requirements.

The system description is an essential element for this analysis. If it is changed, then this may influence the results of the analysis. Suppose that, in contrast to the model above, we do not know how the faulty components behave. The knowledge base now becomes

$$\Sigma' = \{\, ok_A \to (in \leftrightarrow \neg x_1),\; ok_B \to (in \leftrightarrow \neg x_2),\; ok_C \to (out \leftrightarrow x_1 \vee x_2) \,\}.$$

With this less complete model, the structure functions of the two specifications above become different,

$$sp(\delta_1, \Sigma') = (ok_A \wedge ok_C) \vee (ok_B \wedge ok_C),$$
$$sp(\delta_2, \Sigma') = ok_A \wedge ok_B \wedge ok_C.$$

Now, the stronger requirement $\delta_2$ can only be guaranteed if all three components work correctly (a series system), whereas the weaker one still has the same redundancy as before. ◇

In the general case, we have a PAS $(\Sigma, A, P)$, where the assumable symbols in $A$ correspond to the components of the system. Positive assumptions correspond to working components. Accordingly, in the context of reliability analysis, we shall call the scenarios of this argumentation system system states. The propositional symbols in $P$ are needed to describe the system behavior. We assume that the system description $\Sigma$ excludes no system states, that is, there are no conflicts, $QS_A(\bot, \Sigma) = \emptyset$. A knowledge base $\Sigma$ which satisfies this is called A-consistent.

The required behavior is specified by a formula $\delta$. Usually $\delta$ will not contain assumptions, but there is no reason to exclude this in general. $\delta$ formulates a reliability goal. There may be several such goals.

The set of system states $SP_A(\delta, \Sigma)$ supporting $\delta$ contains all states guaranteeing the required specification from the system description. Its complement $SP_A^c(\delta, \Sigma) = PL_A(\neg\delta, \Sigma)$ contains the system states where this guarantee is no longer assured. These are the unreliable states. So $SP_A(\delta, \Sigma)$ defines the structure function associated with the specification $\delta$:

$$s = \phi_{\delta,\Sigma}(\mathbf{s}) = \begin{cases} \top & \text{if } \mathbf{s} \in SP_A(\delta, \Sigma), \\ \bot & \text{if } \mathbf{s} \notin SP_A(\delta, \Sigma). \end{cases} \qquad (6)$$

The index $\Sigma$ in $\phi_{\delta,\Sigma}$ will be omitted if $\Sigma$ is clear from the context. Here, $s$ denotes the "system state", which is $\top$ when the reliability specification is assured and $\bot$ otherwise. Since the set $SP_A(\delta, \Sigma)$ has a logical representation based on minimal arguments, the same holds for the structure function $\phi_\delta$:

$$\phi_\delta = \bigvee_{\alpha \in \mu SP(\delta, \Sigma)} \alpha = sp(\delta, \Sigma). \qquad (7)$$

In the same way, based on the minimal possible arguments $\mu PL(\neg\delta, \Sigma)$, we obtain

$$\neg\phi_\delta = \bigvee_{\beta \in \mu PL(\neg\delta, \Sigma)} \beta = pl(\neg\delta, \Sigma).$$

By de Morgan's laws this transforms into

$$\phi_\delta = \bigwedge_{\beta \in \mu PL(\neg\delta, \Sigma)} \neg\beta. \qquad (8)$$

Note that $\neg\beta$, the negation of a term, is a clause. This is a second logical representation of $\phi_\delta$.

A comparison with the minimal path and minimal cut representation of monotone structure functions (2) shows that minimal supporting arguments $\alpha$ for $\delta$ and minimal possible arguments $\beta$ for $\neg\delta$ play a role similar to minimal paths and minimal cuts.

According to our assumption of A-consistency, we have $QS_A(\bot, \Sigma) = \emptyset$. Thus

$$SP_A(\delta, \Sigma) = QS_A(\bot, \Sigma \cup \{\neg\delta\}). \qquad (9)$$

On the other hand, we also have

$$PL_A(\neg\delta, \Sigma) = QS_A^c(\bot, \Sigma \cup \{\neg\delta\}). \qquad (10)$$

This shows that a reliability analysis of a system $\Sigma$ relative to a requirement specification $\delta$ requires essentially the computation of the conflict states $QS_A(\bot, \Sigma \cup \{\neg\delta\})$. We shall see below that this is exactly what is also required for diagnosis. This is a first hint of the duality between the problems of reliability and diagnosis.

Once probabilities for the assumptions, i.e. component availabilities or reliabilities, are defined, the system reliability relative to a specification $\delta$ is simply the degree of support of $\delta$ (since $QS_A(\bot, \Sigma) = \emptyset$), i.e.

$$p_{\delta,\Sigma} = dsp(\delta, \Sigma) = dqs(\delta, \Sigma) = p\big(QS_A(\bot, \Sigma \cup \{\neg\delta\})\big).$$
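The following added example (Python, not from the paper or from ABEL) carries Examples 1 to 3 through the scenario semantics of Section 3.2: it enumerates the $2^3$ system states, computes $CS_A$, $QS_A$, $SP_A$ and $PL_A$ directly from the definitions, extracts the minimal supporting arguments (the paths of $\phi_\delta$), evaluates the reliability $p_{\delta,\Sigma} = dsp(\delta, \Sigma)$ for constructed component probabilities, and uses the complement $SP_A^c(\delta, \Sigma) = PL_A(\neg\delta, \Sigma)$ to list minimal diagnoses, i.e. the duality with (10). The probabilities $(0.9, 0.9, 0.8)$ and all function names are constructed for this example.

```python
from fractions import Fraction
from itertools import product

A = ("okA", "okB", "okC")         # assumptions: one per component, 1 = working
P = ("in", "x1", "x2", "out")     # propositions describing the behaviour
SCENARIOS = list(product((0, 1), repeat=len(A)))   # N_A: the 2^3 system states

def implies(a, b):
    return (not a) or b

def iff(a, b):
    return a == b

def sigma_prime(m):
    """Sigma' of Example 3: behaviour of working components, nothing about faults."""
    return (implies(m["okA"], iff(m["in"], not m["x1"]))
            and implies(m["okB"], iff(m["in"], not m["x2"]))
            and implies(m["okC"], iff(m["out"], m["x1"] or m["x2"])))

def sigma(m):
    """Knowledge base (4): Sigma' plus the three implications for faulty components."""
    return (sigma_prime(m)
            and implies(not m["okA"], not m["x1"])
            and implies(not m["okB"], not m["x2"])
            and implies(not m["okC"], not m["out"]))

def delta1(m):                    # weak specification:      not in -> out
    return implies(not m["in"], m["out"])

def delta2(m):                    # stringent specification: not in <-> out
    return iff(not m["in"], m["out"])

def entails(kb, s, h):
    """Decide s, Sigma |= h by checking every interpretation of P under the fixed
    scenario s. Returns (s is consistent with kb, h holds in all its models)."""
    consistent, holds = False, True
    for vals in product((False, True), repeat=len(P)):
        m = dict(zip(A, map(bool, s)))
        m.update(zip(P, vals))
        if kb(m):
            consistent = True
            holds = holds and h(m)
    return consistent, holds

def scenario_sets(kb, h):
    """CS_A, QS_A(h), SP_A(h), PL_A(h) of Section 3.2 as sets of scenarios."""
    CS, QS, QS_not_h = set(), set(), set()
    for s in SCENARIOS:
        consistent, qs = entails(kb, s, h)
        if not consistent:
            CS.add(s)
        if qs:
            QS.add(s)
        if entails(kb, s, lambda m: not h(m))[1]:
            QS_not_h.add(s)
    SP = QS - CS
    PL = set(SCENARIOS) - (QS_not_h - CS)          # PL_A(h) = complement of SP_A(not h)
    return CS, QS, SP, PL

def minimal_arguments(states):
    """Minimal terms over A whose models all lie in `states` (mu SP when `states`
    is SP_A). A term is a frozenset of (assumption, 0/1) literals; purely positive
    terms are the minimal paths of the structure function phi_delta."""
    terms = []
    for choice in product((None, 0, 1), repeat=len(A)):
        term = frozenset((a, v) for a, v in zip(A, choice) if v is not None)
        models = {s for s in SCENARIOS if all(s[A.index(a)] == v for a, v in term)}
        if models <= states:
            terms.append(term)
    return {t for t in terms if not any(u < t for u in terms)}

def degree_of_support(kb, h, probs):
    """Reliability relative to h: dsp(h) = (dqs(h) - dqs(bot)) / (1 - dqs(bot)),
    with scenario probabilities p(s) from (5) for independent components."""
    def p(s):
        prob = Fraction(1)
        for p_i, s_i in zip(probs, s):
            prob *= p_i if s_i else 1 - p_i
        return prob
    CS, QS, _, _ = scenario_sets(kb, h)
    dqs_h, dqs_bot = sum(map(p, QS), Fraction(0)), sum(map(p, CS), Fraction(0))
    return (dqs_h - dqs_bot) / (1 - dqs_bot)

def minimal_diagnoses(kb, delta):
    """Duality: the down states, the complement of SP_A(delta), are the states
    consistent with a violated delta. Report inclusion-minimal sets of faulty components."""
    _, _, SP, _ = scenario_sets(kb, delta)
    faulty = [frozenset(a for a, s_i in zip(A, s) if not s_i)
              for s in SCENARIOS if s not in SP]
    return {d for d in faulty if not any(e < d for e in faulty)}

if __name__ == "__main__":
    probs = (Fraction(9, 10), Fraction(9, 10), Fraction(4, 5))   # constructed p_A, p_B, p_C
    print(minimal_arguments(scenario_sets(sigma, delta1)[2]), degree_of_support(sigma, delta1, probs))
    print(minimal_arguments(scenario_sets(sigma_prime, delta2)[2]), minimal_diagnoses(sigma, delta1))
```

For $\Sigma$ and $\delta_1$ the minimal arguments are $ok_A \wedge ok_C$ and $ok_B \wedge ok_C$ with reliability $0.8 \cdot (1 - 0.1 \cdot 0.1) = 0.792$, and the minimal diagnoses of a violated $\delta_1$ are $\{C\}$ and $\{A, B\}$, the minimal cuts of the same structure function.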

4.2 Implicitly Defined Reliability

A specification $\delta$ is called consistent with the system description $\Sigma$ if the system state $\mathbf{1} = (1, \ldots, 1)$ belongs to $SP_A(\delta, \Sigma)$. In this section we only consider specifications consistent with the system description.

A system description $\Sigma$ often contains, besides assumptions, another set $O$ of special propositional atoms, namely those which are observable. Then specifications $\delta$ can be assumed to be formulated with observables only, $\delta \in \mathcal{L}_O$. Observables are typically input and output variables of some system.

Assume now that in a system description $(\Sigma, P, A)$ a set of observable variables $O$ is singled out. Usually $O \subseteq P$, i.e. component states cannot be observed directly. But it does no harm to assume more generally $O \subseteq P \cup A$. Then we define an implicit specification

$$\delta = Elim_{(A \cup P) - O}\big(\Sigma \cup \{a_1 \wedge a_2 \wedge \cdots \wedge a_n\}\big).$$

That is, $\delta$ represents all the functionality of the system in terms of observables which can be obtained from a system with all components working. We call this the implicit reliability specification with respect to $O$. Now, the system may be, with respect to this specification, as good as "new" also for some states including faulty components. Therefore we define the implicit structure function by the set of up-states relative to $\delta$, i.e. $SP_A(\delta, \Sigma)$. Hence, we obtain

$$\phi_\delta = \bigvee_{\alpha \in \mu SP(\delta, \Sigma)} \alpha, \quad \text{or} \quad \phi_\delta = \bigwedge_{\beta \in \mu PL(\neg\delta, \Sigma)} \neg\beta.$$

Accordingly, the implicit reliability of such a system can be obtained as the degree of support $dsp(\delta, \Sigma)$. This approach helps to decide whether a system has some implicit redundancy, namely whether $\phi_\delta$ represents simply a series system, i.e. whether $\mu SP(\delta, \Sigma)$ has only the set of all assumptions as minimal supporting argument for $\delta$.

Lemma 2 If $\delta' \in \mathcal{L}_O$ is a consistent specification with respect to $\Sigma$, then $\delta \models \delta'$.¹

This shows that $\delta$ is the most stringent consistent specification over the observables $O$. Among all specifications over $O$, the implicit specification has the least reliability:

Lemma 3 If $\delta' \in \mathcal{L}_O$ is a consistent specification with respect to $\Sigma$, then $SP_A(\delta, \Sigma) \subseteq SP_A(\delta', \Sigma)$.

Corollary 4 If $\delta' \in \mathcal{L}_O$ is a consistent specification with respect to $\Sigma$, then $p_\delta \le p_{\delta'}$.

¹ For proofs see [6].

5 Model-Based Diagnostic

5.1 Duality Between Reliability and Diagnostics

A problem of diagnostics arises if an observation indicates that a requirement specification $\delta$ is violated. Then the question is: how can the required functionality be recovered? That is, one would like to find out those components whose failure caused the system failure and which have to be fixed or replaced. This analysis will be based on the system description $\Sigma$ and on the specification $\delta$ which is violated.

In fact, we ask which system states are compatible or consistent with the system description $\Sigma$ and the violation of the specification $\delta$, expressed by $\neg\delta$. Well, these are of course all states which are consistent with $\Sigma \cup \{\neg\delta\}$, that is the set

$QS_A^c(\bot, \Sigma \cup \{\neg\delta\}) = PL_A(\neg\delta, \Sigma).$ (11)

Remark that this is exactly the set of down states relative to the specification $\delta$ (see (10)). Here we have the basic duality between reliability analysis relative to a requirement specification $\delta$ and the diagnostic problem relative to the same specification. The conflict set $QS_A(\bot, \Sigma \cup \{\neg\delta\})$ is the computational key to both reliability analysis and diagnostics. It gives the up-states which define reliability, and its complement gives the possible states explaining the violation of the reliability specification, i.e. possible diagnoses. It is well known in model-based diagnostics that such conflict sets play a key role [23, 10, 19]. The duality implies that they play an equally important role for model-based reliability.

If the structure function is monotone, then to the minimal possible arguments $\beta \in \mu PL(\neg\delta, \Sigma)$ correspond the minimal cuts, i.e. the sets of components whose negations form $\beta$. They represent minimal sets of failed components which explain the violation of the specification $\delta$, independently of the state of the other components.

Minimal cuts correspond to kernel diagnoses in model-based diagnostics [23]. Usually model-based diagnostics does not go beyond such concepts of diagnostics. It neglects the important role of probability.³ The observation of the violation of the specification, $\neg\delta$, in fact defines the event $QS_A^c(\bot, \Sigma \cup \{\neg\delta\})$ in the sample space $N_A$. That is, the prior probabilities $p(s)$ defined on the states have now to be conditioned on this event. This gives us the posterior probabilities

$p(s|\neg\delta) = \dfrac{p(s)}{1 - p(QS_A(\bot, \Sigma \cup \{\neg\delta\}))} = \dfrac{p(s)}{dpl(\neg\delta, \Sigma)}$ (12)

for diagnostic states $s \in QS_A^c(\bot, \Sigma \cup \{\neg\delta\})$. This underlines once more the key role of the conflict set $QS_A(\bot, \Sigma \cup \{\neg\delta\})$. Its prior probability is sufficient to compute the posterior probabilities of the possible diagnostic states explaining the violation of $\delta$.

³ See however [19, 3] for a discussion of this subject, and especially [19] for the problems of the approach of De Kleer & Williams [11]. Other approaches focus for example on minimal entropy [26] or on restricting the device to have a Bayesian network model [17].


These posterior probabilities represent important additional diagnostic information. For example we may look for diagnostic states with maximal posterior probability. $s$ is called a maximum likelihood state, if

$p(s|\neg\delta) = \max_{s' \in QS_A^c(\bot, \Sigma \cup \{\neg\delta\})} p(s'|\neg\delta).$ (13)

There may be several such states. They represent the most likely states explaining the violation of $\delta$.

Reiter [23] proposed to look especially at possible diagnostic states with a minimal number of faulty components. Intuitively this makes sense: the failure should be explained with a minimal number of down components. If $s$ is a state, we define $s^-$ to be the set of its negative (down) components. Then we define a partial order between states: $s' \le s$ if $s'^- \subseteq s^-$. Reiter diagnoses are now those diagnostic states $s \in QS_A^c(\bot, \Sigma \cup \{\neg\delta\})$ which are minimal with respect to this partial order. We make the reasonable assumption that for every component $i$ we have $p_i > 0.5$, such that $p_i > 1 - p_i$, i.e. it is more probable that a component works than that it is down. Then $s' \le s$ implies that $p(s'|\neg\delta) \ge p(s|\neg\delta)$. So maximum likelihood states are Reiter diagnoses. The inverse of course does not hold necessarily. Also, if the structure function $\phi_\delta$ is monotone, the sets $s^-$ of Reiter diagnoses correspond to minimal cuts relative to the specification $\delta$.

The posterior fault probabilities of the components, $p(\neg a_i|\neg\delta)$, are also of interest. The larger this probability, the more critical is component $i$ for the requirement specification $\delta$. So this is a possible importance measure for component $i$ relative to the specification (for other importance measures see [4]).

Example 4: (Cont. of Example 1)

Suppose we observe that, although $\neg in$, we have also $\neg out$, i.e. a power system failure is not detected. Note that $\neg in \wedge \neg out = \neg\delta_1$ (cf. Example 3). So we consult the minimal cuts relative to the specification $\delta_1$. There are two minimal cuts: $\{\neg ok_C\}$ and $\{\neg ok_A, \neg ok_B\}$. To any minimal cut corresponds a Reiter diagnosis, namely $\{ok_A, ok_B, \neg ok_C\}$ to the first cut, and $\{\neg ok_A, \neg ok_B, ok_C\}$ to the second one. One of these two diagnoses must be the maximum likelihood state. The first one has prior probability $0.99 \times 0.99 \times 0.05 = 0.049$, the second one $0.01 \times 0.01 \times 0.95 = 0.000095$. So clearly, the first one is by far the most likely state. The posterior probability is obtained by dividing the prior probability by the unreliability relative to $\delta_1$, which with these two cuts is $1 - 0.95 \times (1 - 0.01 \times 0.01) = 0.050095 \approx 0.05$. We obtain for the maximum likelihood state a posterior probability of $0.049005 / 0.050095 \approx 0.98$.

5.2 Diagnostics Based on Observations of System Behavior

The actual observation is not necessarily the negation of a system requirement, but may be something stronger, which implies the violation of a specification. Indeed, as we saw in Example 4, we observed $\neg in \wedge \neg out = \neg\delta_1$, but $\neg in \wedge \neg out \models \neg\delta_2$. So we should reconsider the duality between reliability and diagnostics. In fact, assume that we make some observation of the system behavior, expressed in a formula $\omega$ over observables. Then we may test whether $\omega \models \neg\delta$. If this is the case, then we have a diagnostic problem, in the sense that at least one component must be down.


The solution of this diagnostic problem is found along similar lines as in the previous section. Possible states are those which are consistent with the system description and the observation. Or, in other words, the states in the conflict set $QS_A(\bot, \Sigma \cup \{\omega\})$ are those which are excluded by the observation. So, the possible diagnostic states are those of the set $PL_A(\omega, \Sigma) = QS_A^c(\bot, \Sigma \cup \{\omega\})$. We see that this diagnostic problem is dual to a (fictitious) reliability problem with a "requirement" specification $\neg\omega$. Note that the specification $\neg\omega$ is always consistent with $\Sigma$, since $\delta$ is consistent and $\omega \models \neg\delta$.

Of course, we get a much sharper diagnostic with an observation $\omega \models \neg\delta$ than with the information of $\neg\delta$ only. This follows because, according to Lemma 3, we have $PL_A(\omega, \Sigma) \subseteq PL_A(\neg\delta, \Sigma)$. So, the more precise the observation, the more states are eliminated. A mere statement that a given reliability specification is violated is less informative than a precise observation implying a violation of a requirement specification.
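The computations of Sections 4.2, 5.1 (Example 4) and 5.2, carried out by brute force, as an added example that is not code from the paper: a small Python model enumerates the sample space $N_A$ and the interpretations of $P$, and from that computes conflict sets, the implicit specification $\hat\delta$, reliabilities, minimal path sets, Reiter diagnoses, and the posterior probabilities of (12) and (13). The device description $\Sigma$ in the block is a hypothetical stand-in for the paper's Example 1, which is not reproduced in this section: two sensors $A$, $B$ that signal a power failure ($\neg in$) on internal atoms $a$, $b$, and a relay $C$ that raises the alarm $out$. Only the component probabilities 0.99, 0.99, 0.95 and the minimal cuts $\{\neg ok_C\}$, $\{\neg ok_A, \neg ok_B\}$ of Example 4 are taken from the page; the names `ok_A`, `ok_B`, `ok_C`, `in`, `out`, `a`, `b`, the clauses of `SIGMA`, and the assumption in `OMEGA_A` that the sensor signal $a$ can be read out (used to illustrate Section 5.2, since $\delta_2$ is not defined on this page) are all constructed here.

```python
# Added example, not code from the paper: brute-force PAS reliability and
# diagnostics on a toy power-failure detector.  The device model is a
# hypothetical stand-in for the paper's Example 1; only the component
# probabilities and the minimal cuts of Example 4 come from the text.
from itertools import product
from math import prod

ASSUMPTIONS = ("ok_A", "ok_B", "ok_C")       # A: component states (assumptions)
PROPS = ("in", "out", "a", "b")               # P: in/out observable, a/b internal signals
OBSERVABLES = ("in", "out")                   # O, a subset of P
PRIOR = {"ok_A": 0.99, "ok_B": 0.99, "ok_C": 0.95}   # p_i, as in Example 4

# System description Sigma: clauses over an interpretation m (dict atom -> bool).
# Sensors A and B each signal exactly when the power input fails; relay C
# raises the alarm `out` exactly when some sensor signal is present.
SIGMA = (
    lambda m: not m["ok_A"] or (m["a"] != m["in"]),               # ok_A -> (a <-> not in)
    lambda m: not m["ok_B"] or (m["b"] != m["in"]),               # ok_B -> (b <-> not in)
    lambda m: not m["ok_C"] or (m["out"] == (m["a"] or m["b"])),  # ok_C -> (out <-> a or b)
)

def DELTA1(m):      # delta_1: a power failure is detected, (not in) -> out
    return m["in"] or m["out"]

def NOT_DELTA1(m):  # the observation of Example 4: (not in) and (not out) = not delta_1
    return not m["in"] and not m["out"]

def OMEGA_A(m):     # Sec. 5.2: a stronger observation (assumes signal a can be read)
    return NOT_DELTA1(m) and m["a"]

def states():
    """The sample space N_A: every assignment to the assumptions."""
    for bits in product((True, False), repeat=len(ASSUMPTIONS)):
        yield dict(zip(ASSUMPTIONS, bits))

def prior(s):
    """p(s) under independent component failures."""
    return prod(PRIOR[c] if s[c] else 1 - PRIOR[c] for c in ASSUMPTIONS)

def down_set(s):
    """s^-: the components that are down in state s."""
    return frozenset(c for c in ASSUMPTIONS if not s[c])

def consistent(s, formulas=()):
    """Is Sigma + {s} + formulas satisfiable?  Brute force over the atoms in P."""
    for bits in product((True, False), repeat=len(PROPS)):
        m = {**s, **dict(zip(PROPS, bits))}
        if all(f(m) for f in SIGMA) and all(f(m) for f in formulas):
            return True
    return False

def up_states(delta):
    """SP_A(delta,Sigma) = QS_A(bot, Sigma + {not delta}) minus QS_A(bot, Sigma)."""
    return [s for s in states()
            if consistent(s) and not consistent(s, [lambda m: not delta(m)])]

def reliability(delta):
    """p_delta = dsp(delta, Sigma): probability mass of the up-states."""
    return sum(prior(s) for s in up_states(delta))

def minimal_paths(delta):
    """mu SP(delta,Sigma) for a monotone structure function: minimal sets of
    working components that force delta.  One path set only = a series system."""
    ups = {frozenset(c for c in ASSUMPTIONS if s[c]) for s in up_states(delta)}
    return {u for u in ups if not any(v < u for v in ups)}

def implicit_spec():
    """delta-hat = Elim_{(A+P)-O}(Sigma + {ok_A and ok_B and ok_C}), kept as the
    set of O-interpretations it admits and returned as a formula over O."""
    all_ok = {c: True for c in ASSUMPTIONS}
    admitted = set()
    for bits in product((True, False), repeat=len(PROPS)):
        m = {**all_ok, **dict(zip(PROPS, bits))}
        if all(f(m) for f in SIGMA):
            admitted.add(tuple(m[o] for o in OBSERVABLES))
    return lambda m: tuple(m[o] for o in OBSERVABLES) in admitted

def diagnostic_states(omega):
    """PL_A(omega,Sigma): complement of the conflict set QS_A(bot, Sigma + {omega}), eq. (11)."""
    return [s for s in states() if consistent(s, [omega])]

def posteriors(omega):
    """p(s|omega) = p(s) / dpl(omega,Sigma), eq. (12), keyed by the down set s^-."""
    diag = diagnostic_states(omega)
    dpl = sum(prior(s) for s in diag)
    return {down_set(s): prior(s) / dpl for s in diag}

def reiter_diagnoses(omega):
    """Diagnostic states minimal w.r.t. s'^- subset of s^-; the minimal cuts when phi is monotone."""
    downs = {down_set(s) for s in diagnostic_states(omega)}
    return {d for d in downs if not any(e < d for e in downs)}

def max_likelihood(omega):
    """Maximum likelihood diagnostic states of eq. (13), as down sets."""
    post = posteriors(omega)
    best = max(post.values())
    return {d for d, q in post.items() if abs(q - best) < 1e-12}

if __name__ == "__main__":
    delta_hat = implicit_spec()
    print("p_delta1     =", reliability(DELTA1))        # 0.949905
    print("p_delta-hat  =", reliability(delta_hat))     # 0.931095 <= p_delta1 (Corollary 4)
    print("mu SP(delta1)    =", minimal_paths(DELTA1))     # {A,C},{B,C}: implicit redundancy
    print("mu SP(delta-hat) =", minimal_paths(delta_hat))  # {A,B,C}: a series system
    print("Reiter diagnoses of not delta1:", reiter_diagnoses(NOT_DELTA1))  # {C}, {A,B}
    print("ML state:", max_likelihood(NOT_DELTA1), posteriors(NOT_DELTA1)[frozenset({"ok_C"})])
    print("states left by omega vs not delta1:",
          len(diagnostic_states(OMEGA_A)), len(diagnostic_states(NOT_DELTA1)))  # 4 vs 5
```

In this constructed model the implicit specification $\hat\delta$ comes out as $out \leftrightarrow \neg in$ (no missed alarm and no false alarm), whose only minimal path set is $\{ok_A, ok_B, ok_C\}$: a series system with reliability $0.931095$, below the $0.949905$ of the weaker requirement $\delta_1$, as Corollary 4 predicts, and $\delta_1$ exhibits the implicit redundancy of the sensor pair. Diagnosing $\neg\delta_1$ reproduces Example 4 (Reiter diagnoses $\{C\}$ and $\{A, B\}$, posterior $0.049005/0.050095 \approx 0.978$ for $\{C\}$), while the stronger observation `OMEGA_A` leaves only the four $\neg ok_C$ states, the sharpening described in Section 5.2. Everything here is exponential in $|A| + |P|$; the local computation and approximation techniques the conclusions cite [25, 15] are what replace this enumeration for real system descriptions.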

6 Combining  Diagnostic  and  Reliability 

We conclude this discussion of duality between reliability and diagnostics by remarking that we may have an observation of the system behavior which entails neither a specification $\delta$ nor its violation $\neg\delta$. But still this observation is information, and we can use it to improve reliability analysis and also to perform a preventive diagnostic analysis (see [6]). For reliability as well as for diagnostics, additional measurements, or more generally any additional information, can be taken into account in the framework presented above and help to focus the reasoning.

7 Conclusions 

In this paper we have shown how closely reliability and model-based diagnostics are connected. The framework of probabilistic argumentation systems covers both approaches. Therefore the generic structure of PAS can be used for solving problems in both domains. The approaches can even be combined, and the information specified can be used in the common framework. Further, from the system description of an argumentation system we can derive the appropriate structure function and, if desirable, take a reliability requirement into consideration. PAS allows the use of local computation architectures and approximation techniques [25, 15]. This complements the computational theory of reliability.